Rite Aid fined $1M following WTHR investigation

Bob Segall found pharmacies all over the country were tossing patient information in unsecured dumpsters.

Bob Segall/13 Investigates

Indianapolis - Rite Aid Corporation has agreed to pay $1 million to settle privacy violations documented by WTHR. The settlement was announced Tuesday afternoon by the U.S. Department of Health and Human Services following a 4-year investigation. Federal investigators launched their probe as a result of 13 Investigates' 2006 "Prescription Privacy" investigation that found Rite Aid and other national pharmacy chains jeopardized the privacy of millions of patients by placing their private healthcare information into unsecured dumpsters outside the drug stores.

Rite Aid, the nation's third largest drug store chain, has agreed to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information, according to a release issued by HHS. In a coordinated action, Rite Aid also signed a consent order with the Federal Trade Commission to settle violations of the FTC Act. The FTC charges Rite Aid failed to protect sensitive financial and medical information of its customers by failing to maintain adequate disposal policies and by failing to properly train its employees.

"Companies that say they will protect personal information shouldn't be tossing patient prescriptions and employment applications in an open dumpster," said Jon Leibowitz, Chairman of the Federal Trade Commission. "We hope other organizations will learn from the FTC's sanction against Rite Aid to take their obligation to protect consumers' personal information seriously."

In 2006, after exposing improper disposal practices at Walgreens and CVS drug stores around the Indianapolis-metropolitan area, WTHR traveled to pharmacies in other cities to see if the drug store chains engaged in similar privacy violations there, as well. From Miami and Denver to Boston and Phoenix, WTHR discovered the nation's largest drug stores repeatedly threw away sensitive patient information into unsecured dumpsters. While Rite Aid does not operate any pharmacies in central Indiana, 13 Investigates did find sensitive patient information in Rite Aid dumpsters in Cleveland, Louisville, Philadelphia, Denver and the Detroit metropolitan areas. The FTC and HHS' Office of Civil Rights began investigating the privacy breaches after viewing WTHR's investigation.

"The video and TV reports not only helped to bring the particular incidents to our attention, but it was also a way to bring these widespread practices to light," said Susan McAndrew, of HHS' Office of Civil Rights. "We were particularly interested in making sure the large pharmacy chains were investigated."

Today's announcement marks the second-largest settlement in U.S. history for a company charged with violating patient privacy regulations established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The largest settlement, a $2.25 million settlement agreement announced last year between HHS and CVS, also resulted from WTHR's "Prescription Privacy" investigation. In the coming months, federal regulators are expected to announce the results of their ongoing investigation into apparent privacy violations WTHR documented at multiple Walgreens locations.

"I think it would be highly unlikely for Walgreens to get off scot-free given the fact there's been enforcement action against the other two pharmacies," said Joan Antokol, an international privacy specialist and attorney at Indianapolis-based Park International law firm. "I certainly think we will see enforcement against Walgreens, as well. Unless there are circumstances we are not aware of, it might be a case where regulators are saving their biggest [settlement] for last."

Walgreens says it operates more than 8,000 drug stores nationwide, CVS has more than 7,000 pharmacies, and Rite Aid operates approximately 4,800.

While Rite Aid does not admit any formal HIPAA violations, McAndrew says regulators found significant "indications of non-compliance" that suggest Rite Aid failed to meet federal privacy rules and standards with which the company is required to comply.

Rite Aid spokeswoman Cheryl Slavinsky issued the following statement in response to the settlement:

"In the fall of 2007 Rite Aid immediately cooperated with FTC's request for an investigation. We began to review and strengthen procedures we already had in place which included increasing associate awareness and making sure when disposing of any patient information that the information went into a special bag that was to be taken back to our distribution centers and destroyed. We have also been enhancing our HIPAA training program to allow for better training and monitoring. We will continue to work with the FTC and HHS to make sure our comprehensive policies and procedures are working and being followed across the chain. We are not aware of any harmful incidents arising to customers or patients from the incidents."